Friday, 26 February 2016

The delete-all password

Recent discussions revolve around the encryption of phone data and its security features [Bruce Schneier's article]. A recurring question is how long it takes to recover the passcode by brute force, or by more efficient approaches such as dictionaries of common PINs. Apple's answer is twofold: the key derivation is tuned so that each attempt costs about 80 ms, and after a maximum number of failed attempts all the data is erased (or at least the part of the key material stored on the phone, which renders the rest unreadable).

I'd like to suggest an additional security feature: the "delete-all" password. Instead of choosing just the one password that decrypts the device, the user would also be offered the possibility to set a second password which, if entered, forces the data to be deleted (all keys erased).

It would even be possible to generate many such delete-all passwords automatically, in addition to the user-chosen one. Of course, they must be chosen so that they are unlikely to be entered by accident: none of them should differ from the correct password by only a single digit or by two transposed digits.

During a brute-force attack it then becomes likely that one of the delete-all passwords is entered before the correct one. Even with a weak password (e.g. 4 digits, numbers only) it would be very probable that the attacker wipes the data before reaching the correct key: if there are k delete-all passwords among the candidates and the attacker guesses in an order unrelated to where they sit, the chance of hitting the correct password first is only 1/(k+1).

Two caveats apply. The feature only helps against guessing through the device's own unlock path; an attacker who can copy the encrypted storage and run the key derivation elsewhere never triggers a wipe, which is why the device must also tie the derived key to a secret that cannot be extracted from it. And the delete-all passwords themselves must be stored only as derived tags, like the real one, since a stored plaintext list would tell anyone who reads the flash which codes to avoid.
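To make the scheme concrete, here is an added example (not Apple's code and not part of the original post) that implements a lock with one real PIN and many auto-generated delete-all PINs, then simulates a brute-force attacker typing guesses through the unlock path. It assumes 4-digit numeric PINs, uses PBKDF2 as a stand-in for the phone's slow key derivation, models a wipe as discarding the stored tags, and keeps the near-miss rule from the paragraph above (no single wrong digit, no adjacent transposition). The names `Vault`, `near_miss`, `generate_duress_pins` and `brute_force` are my own.

```python
"""Added example: one real PIN plus auto-generated "delete-all" (duress) PINs,
with a brute-force simulation. Not Apple's or the post's own code.
Assumptions: 4-digit numeric PINs, PBKDF2 standing in for the phone's slow key
derivation, a wipe that simply discards the stored tags."""
import hashlib
import hmac
import os
import random
import secrets
from itertools import product
from typing import Optional

PIN_LENGTH = 4
ALL_PINS = ["".join(p) for p in product("0123456789", repeat=PIN_LENGTH)]


def near_miss(real: str, cand: str) -> bool:
    """True if cand is a plausible typo of real: at most one wrong digit,
    or two adjacent digits transposed. Such PINs must never become duress PINs."""
    if len(real) != len(cand):
        return False
    diff = [i for i, (a, b) in enumerate(zip(real, cand)) if a != b]
    if len(diff) <= 1:
        return True
    i, j = diff[0], diff[-1]
    return len(diff) == 2 and j == i + 1 and real[i] == cand[j] and real[j] == cand[i]


def generate_duress_pins(real: str, count: int, seed: Optional[int] = None) -> set:
    """Pick `count` distinct PINs, none of which is a near miss of the real one.
    `seed` exists only for reproducible demos/tests; by default the OS CSPRNG is used."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    pool = [p for p in ALL_PINS if not near_miss(real, p)]
    if count > len(pool):
        raise ValueError("not enough candidate PINs")
    return set(rng.sample(pool, count))


class Vault:
    """Stores only salted PBKDF2 tags of the PINs, never the PINs themselves.
    Each attempt costs one derivation (the slow step that rate-limits guessing),
    and the duress tags are checked before the real one so a wipe cannot be skipped."""

    def __init__(self, real: str, duress: set, iterations: int = 100_000):
        self.salt = os.urandom(16)
        self.iterations = iterations
        self.real_tag = self._tag(real)
        self.duress_tags = {self._tag(p) for p in duress}
        self.wiped = False

    def _tag(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, self.iterations)

    def _wipe(self) -> None:
        # A real device erases its key material here; this model drops every tag.
        self.wiped = True
        self.real_tag = b""
        self.duress_tags = set()

    def enter(self, pin: str) -> str:
        """Returns 'unlocked', 'denied', or 'wiped' (also for every attempt after a wipe)."""
        if self.wiped:
            return "wiped"
        tag = self._tag(pin)
        if tag in self.duress_tags:
            self._wipe()
            return "wiped"
        if hmac.compare_digest(tag, self.real_tag):
            return "unlocked"
        return "denied"


def brute_force(real: str, duress: set, order: list) -> tuple:
    """Attacker enters PINs in `order` through the lock UI. Returns (outcome, attempts)."""
    for n, guess in enumerate(order, 1):
        if guess in duress:
            return "wiped", n
        if guess == real:
            return "unlocked", n
    return "exhausted", len(order)


def estimate_attacker_success(real: str, duress: set, trials: int, seed: int) -> float:
    """Fraction of random-order brute-force runs that unlock before hitting a duress PIN.
    With k duress PINs this converges to 1/(k+1), since the real PIN and the k duress
    PINs are equally likely to come first in a random ordering."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        order = ALL_PINS[:]
        rng.shuffle(order)
        wins += brute_force(real, duress, order)[0] == "unlocked"
    return wins / trials


if __name__ == "__main__":
    real = "7391"  # constructed sample PIN
    duress = generate_duress_pins(real, 99, seed=2016)
    print("sequential attacker:", brute_force(real, duress, ALL_PINS))
    print("random-order attacker unlock rate:", estimate_attacker_success(real, duress, 200, 1))
    vault = Vault(real, duress, iterations=10_000)
    print(vault.enter("7390"), vault.enter(real), vault.enter(sorted(duress)[0]), vault.enter(real))
```

Running the script shows the two attacker models side by side: the sequential 0000..9999 attacker almost always runs into a duress PIN first, and the random-order attacker's unlock rate sits near 1/100 with 99 duress PINs. The `Vault` part shows the property that matters on a real device: a near miss of the real PIN is merely denied, a duress PIN wipes, and once wiped even the real PIN no longer unlocks.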